GNOME Bugzilla – Bug 783873
heap-use-after-free nautilus-file.c:2293 in batch_rename_get_info_callback
Last modified: 2017-06-24 17:26:35 UTC
How to reproduce:
1. Select several files/folders -> Right click -> Rename (which shall open the batch rename dialog)
2. Give in some sequence -> Click rename.

==6499==ERROR: AddressSanitizer: heap-use-after-free on address 0x60700035ffd8 at pc 0x55c2685ad929 bp 0x7fffa813a1f0 sp 0x7fffa813a1e8
READ of size 8 at 0x60700035ffd8 thread T0
    #0 0x55c2685ad928 in batch_rename_get_info_callback ../src/nautilus-file.c:2293
    #1 0x7fe65969074e in g_task_return_now /home/sadiq/jhbuild/checkout/glib/gio/gtask.c:1145
    #2 0x7fe659690796 in complete_in_idle_cb /home/sadiq/jhbuild/checkout/glib/gio/gtask.c:1159
    #3 0x7fe65b40fa7a in g_idle_dispatch /home/sadiq/jhbuild/checkout/glib/glib/gmain.c:5586
    #4 0x7fe65b4108aa in g_main_dispatch /home/sadiq/jhbuild/checkout/glib/glib/gmain.c:3234
    #5 0x7fe65b4131dc in g_main_context_dispatch /home/sadiq/jhbuild/checkout/glib/glib/gmain.c:3899
    #6 0x7fe65b413336 in g_main_context_iterate /home/sadiq/jhbuild/checkout/glib/glib/gmain.c:3972
    #7 0x7fe65b4133b8 in g_main_context_iteration /home/sadiq/jhbuild/checkout/glib/glib/gmain.c:4033
    #8 0x7fe6596a976e in g_application_run /home/sadiq/jhbuild/checkout/glib/gio/gapplication.c:2381
    #9 0x55c2684ff5e3 in main ../src/nautilus-main.c:102
    #10 0x7fe656cb82b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
    #11 0x55c2684f9529 in _start (/media/sadiq/Main/Software/src/gnome/nautilus/build/src/nautilus+0x38a529)

0x60700035ffd8 is located 8 bytes inside of 80-byte region [0x60700035ffd0,0x607000360020)
freed by thread T0 here:
    #0 0x7fe65b9b4a10 in free (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1a10)
    #1 0x7fe65b418b21 in g_free /home/sadiq/jhbuild/checkout/glib/glib/gmem.c:189
    #2 0x55c2685a50cb in nautilus_file_operation_free ../src/nautilus-file.c:1892
    #3 0x55c2685abdd1 in nautilus_file_operation_complete ../src/nautilus-file.c:1921
    #4 0x55c2685ad90a in batch_rename_get_info_callback ../src/nautilus-file.c:2290
    #5 0x7fe65969074e in g_task_return_now /home/sadiq/jhbuild/checkout/glib/gio/gtask.c:1145
    #6 0x7fe659690796 in complete_in_idle_cb /home/sadiq/jhbuild/checkout/glib/gio/gtask.c:1159
    #7 0x7fe65b40fa7a in g_idle_dispatch /home/sadiq/jhbuild/checkout/glib/glib/gmain.c:5586
    #8 0x7fe65b4108aa in g_main_dispatch /home/sadiq/jhbuild/checkout/glib/glib/gmain.c:3234
    #9 0x7fe65b4131dc in g_main_context_dispatch /home/sadiq/jhbuild/checkout/glib/glib/gmain.c:3899
    #10 0x7fe65b413336 in g_main_context_iterate /home/sadiq/jhbuild/checkout/glib/glib/gmain.c:3972
    #11 0x7fe65b4133b8 in g_main_context_iteration /home/sadiq/jhbuild/checkout/glib/glib/gmain.c:4033
    #12 0x7fe6596a976e in g_application_run /home/sadiq/jhbuild/checkout/glib/gio/gapplication.c:2381
    #13 0x55c2684ff5e3 in main ../src/nautilus-main.c:102
    #14 0x7fe656cb82b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)

previously allocated by thread T0 here:
    #0 0x7fe65b9b4ed0 in calloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1ed0)
    #1 0x7fe65b418a5e in g_malloc0 /home/sadiq/jhbuild/checkout/glib/glib/gmem.c:124
    #2 0x55c268592d10 in nautilus_file_operation_new ../src/nautilus-file.c:1836
    #3 0x55c2685ae590 in real_batch_rename ../src/nautilus-file.c:2326
    #4 0x55c2685af275 in nautilus_file_batch_rename ../src/nautilus-file.c:2421
    #5 0x55c2686f29d4 in begin_batch_rename ../src/nautilus-batch-rename-dialog.c:480
    #6 0x55c2686f2c20 in prepare_batch_rename ../src/nautilus-batch-rename-dialog.c:691
    #7 0x55c2686f2f1b in batch_rename_dialog_on_response ../src/nautilus-batch-rename-dialog.c:709
    #8 0x7fe6593b8ea3 in g_cclosure_marshal_VOID__INTv /home/sadiq/jhbuild/checkout/glib/gobject/gmarshal.c:1200
    #9 0x7fe6593b6dc2 in _g_closure_invoke_va /home/sadiq/jhbuild/checkout/glib/gobject/gclosure.c:867
    #10 0x7fe6593d3695 in g_signal_emit_valist /home/sadiq/jhbuild/checkout/glib/gobject/gsignal.c:3300
    #11 0x7fe6593d4406 in g_signal_emit /home/sadiq/jhbuild/checkout/glib/gobject/gsignal.c:3447
    #12 0x7fe65ac19e94 in gtk_dialog_response /home/sadiq/jhbuild/checkout/gtk+-3/gtk/gtkdialog.c:1235

SUMMARY: AddressSanitizer: heap-use-after-free ../src/nautilus-file.c:2293 in batch_rename_get_info_callback
Shadow bytes around the buggy address:
  0x0c0e80063fa0: 00 00 fa fa fa fa 00 00 00 00 00 00 00 00 00 00
  0x0c0e80063fb0: fa fa fa fa fd fd fd fd fd fd fd fd fd fa fa fa
  0x0c0e80063fc0: fa fa fd fd fd fd fd fd fd fd fd fa fa fa fa fa
  0x0c0e80063fd0: fd fd fd fd fd fd fd fd fd fa fa fa fa fa 00 00
  0x0c0e80063fe0: 00 00 00 00 00 00 00 fa fa fa fa fa 00 00 00 00
=>0x0c0e80063ff0: 00 00 00 00 00 00 fa fa fa fa fd[fd]fd fd fd fd
  0x0c0e80064000: fd fd fd fd fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c0e80064010: fd fa fa fa fa fa fd fd fd fd fd fd fd fd fd fd
  0x0c0e80064020: fa fa fa fa 00 00 00 00 00 00 00 00 00 fa fa fa
  0x0c0e80064030: fa fa 00 00 00 00 00 00 00 00 00 fa fa fa fa fa
  0x0c0e80064040: 00 00 00 00 00 00 00 00 00 fa fa fa fa fa 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==6499==ABORTING
Created attachment 353937 [details] [review]
nautilus-file: fix invalid memory access

When the operation is freed on the first if, the operation will still be accessed on the second if. To fix this, merge the two ifs since they both complete the operation.
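The control-flow bug the commit message describes, as an added example that is not Nautilus code: a constructed stand-in for the file operation (the field names, the Trace struct, and the `get()` accessor are assumptions made for this example) runs the callback in its two-if shape and in its merged-if shape. Completing the operation sets a shadow `freed` flag instead of calling free(), so a read after release is counted rather than being undefined behaviour, which is what AddressSanitizer did for the reporter at nautilus-file.c:2293.

```c
#include <stdio.h>
#include <stdlib.h>

/*
 * Constructed stand-in for Nautilus' NautilusFileOperation (assumption:
 * the real struct has different fields and holds a GList *files).
 */
typedef struct {
    int renamed_files;
    int skipped_files;
    int n_files;        /* stands in for g_list_length (op->files) */
    int files_is_null;  /* stands in for op->files == NULL */
    int freed;          /* shadow flag: set once the operation is released */
} FileOperation;

typedef struct {
    int completions;    /* times the operation was completed (freed) */
    int uaf_reads;      /* field reads that happened after release */
} Trace;

/* Every field read goes through here so a use-after-release is observable. */
static int get(const FileOperation *op, const int *field, Trace *t)
{
    if (op->freed)
        t->uaf_reads++;
    return *field;
}

/* Models nautilus_file_operation_complete(), which ends in
 * nautilus_file_operation_free(): after this call `op` must not be touched. */
static void operation_complete(FileOperation *op, Trace *t)
{
    t->completions++;
    op->freed = 1;
}

/* Shape of the callback before the fix: two separate ifs. */
static void callback_before_fix(FileOperation *op, Trace *t)
{
    if (get(op, &op->renamed_files, t) + get(op, &op->skipped_files, t) ==
        get(op, &op->n_files, t)) {
        operation_complete(op, t);          /* op released here (the free at :2290) */
    }
    if (get(op, &op->files_is_null, t)) {   /* reads released op (the READ at :2293) */
        operation_complete(op, t);          /* and releases it a second time */
    }
}

/* Shape of the callback after the fix: one merged if, NULL test first. */
static void callback_after_fix(FileOperation *op, Trace *t)
{
    if (get(op, &op->files_is_null, t) ||
        get(op, &op->renamed_files, t) + get(op, &op->skipped_files, t) ==
        get(op, &op->n_files, t)) {
        operation_complete(op, t);
        return;                              /* nothing below may touch op */
    }
}

/* Drives one callback over a constructed operation and reports what happened. */
static Trace run_callback(void (*callback)(FileOperation *, Trace *),
                          int n_files, int renamed, int skipped)
{
    Trace t = { 0, 0 };
    FileOperation *op = calloc(1, sizeof *op);   /* like g_malloc0 in the trace */
    op->n_files = n_files;
    op->files_is_null = (n_files == 0);
    op->renamed_files = renamed;
    op->skipped_files = skipped;
    callback(op, &t);
    free(op);   /* the real release happens here, after the counters are in */
    return t;
}

int main(void)
{
    /* Constructed scenarios: two files both renamed, and an empty file list. */
    Trace a = run_callback(callback_before_fix, 2, 2, 0);
    Trace b = run_callback(callback_before_fix, 0, 0, 0);
    Trace c = run_callback(callback_after_fix, 2, 2, 0);
    Trace d = run_callback(callback_after_fix, 0, 0, 0);
    printf("before fix, 2 files: completions=%d uaf_reads=%d\n", a.completions, a.uaf_reads);
    printf("before fix, no files: completions=%d uaf_reads=%d\n", b.completions, b.uaf_reads);
    printf("after fix, 2 files:  completions=%d uaf_reads=%d\n", c.completions, c.uaf_reads);
    printf("after fix, no files:  completions=%d uaf_reads=%d\n", d.completions, d.uaf_reads);
    return 0;
}
```

With the two-if shape every run that completes on the first if still reads `op` on the second, and an empty file list completes (frees) the operation twice; with the merged if the completion is the last access, which is the property the patch restores.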
Review of attachment 353937 [details] [review]: ::: src/nautilus-file.c @@ +2287,3 @@ + if (op->renamed_files + op->skipped_files == g_list_length (op->files) || + op->files == NULL) Can you put the == NULL first? Otherwise looks good
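Review bot: with the two conditions merged, the body of this if is the last place that may dereference `op`; nautilus_file_operation_complete ends in nautilus_file_operation_free (nautilus-file.c:1921 and :1892 in the ASan trace), so any statement that follows the merged if and still touches `op` would reproduce the same heap-use-after-free at a different line. Worth confirming the function returns or falls off the end right after the completion. Putting `op->files == NULL` first, as requested, also short-circuits before `g_list_length (op->files)` walks the list on every callback.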
Created attachment 353975 [details] [review]
nautilus-file: fix invalid memory access

When the operation is freed on the first if, the operation will still be accessed on the second if. To fix this, merge the two ifs since they both complete the operation.
Attachment 353975 [details] pushed as 68cfc99 - file: fix invalid memory access